Black Hat Hacking Hotel Doors With Open-Source Arduino

By using open-source Arduino tools, security researchers are exposing security gaps in door-lock systems used by millions of hotels.

LAS VEGAS  For millions of travelers and road warriors, the ubiquitous hotel key card is the primary, and essentially the only, way to access their rooms at the end of day. However, security researcher Cody Brocious believes the current systems used to secure hotel doors throughout the United States and elsewhere are severely flawed.

Speaking at the Black Hat security conference here, Brocious demonstrated how locks from Onitya company that sells security products to hotels and other businessescan easily be bypassed. At the show, Brocious detailed the primary security flaws that allowed him to bypass Onity locks and gain access to rooms.

Brocious used an open-source tool known as Arduino, a portable programming platform. Arduino was used as a substitute for the commercial portable programmer that an Onity lock would typically require. Brocious explained that the Onity locks have a serial hardware connection that is easily accessible, as well.

In addition to the Arduino tool, Brocious used an oscilloscope that allowed him to see what was happening in the lock whenever a key card was put in and the door opened or closed. He was able to determine through his research that the underlying firmware on the lock does not require any form of authentication to arbitrarily access the memory of the lock.

Further reading

This means it is possible to read out every bit of information that is on the lock, which makes it possible for anyone to gain access or make a key.

In theory, programming for the lock should go over a secure channel, rather than doing direct unencrypted memory access, said Brocious. The problem, according to his research, is that the existing Onity lock design does not easily allow for that, and there is no easy way to update the firmware.

Another potential option is to actually provide physical security on the door lock. For example, the company could make the serial port harder to access. However, with 5 million of these locks in use today, Brocious said this would be an expensive and challenging way to add additional security.

The actual door locks are only half the problem exposed by Brocious. The card keys are also at risk. Typical card keys in the Onity system use only 32-bit key encryption making them easy to decrypt, according to Brocious.

"The system is broken at every layer," said Brocious.

The severity of the issue and its high impact is what led Brocious to choose to release his research at Black Hat. In addition to his research, he is also releasing a software tool so that others can continue or expand on his efforts.

"Something needs to be done about this problem, and I didn't want to put it out there in a way that could be defeated by process," said Brocious. "No doubt, this vulnerability has been found before, and it has been in the locks for years."

Brocious added: I'd be surprised if this hasn't been used by malicious actors in the past.

What Brocious is hoping to achieve from this disclosure is not a mass string of hackers getting unauthorized access to hotel rooms, but rather some kind of fix and industry response.

"I'm saying that this is what you're vulnerable [to], so come up with a way to solve the problem," said Brocious.